To quote, with suitable modification, an immortal line from The Dark Knight, the Digital Personal Data Protection (DPDP) Act, which just got notified by the government into effect, “is the law everyone needed, but perhaps not the one they deserved.”

Gotham City never understood the good intentions of its Batman, but the question is whether India can come around to embracing with open arms one of the most monumental pieces of legislation in recent times — the DPDP Act that puts down in law how privacy in the digital world ought to be governed.

“With the notification of the DPDP Act and the accompanying rules, India’s data-protection regime has moved decisively from promise to practice,” said Akshay Garkel, partner & leader (cyber), Grant Thornton Bharat, a consultancy major.

But if initial responses are any indication, there is a sense of deja vu and disillusionment amidst all quarters — from activists to ordinary citizens to businesses and big tech.

In spirit, the DPDP follows the one which went before, Europe’s General Data Protection Regulations or GDPR. The new rules sets clear definitions on how private data is to be handled, how consent is to be taken (as well as withdrawn), checklists for businesses to follow while processing personal data, how data breaches are to be reported, how data needs to be stored and especially, the touchy topic of protecting privacy of underage Indians.

Entities guilty of breaches or stealing personal data can incur up to Rs 250 crore in fine — all to be monitored and decided by a Data Protection Board, whose constitution and how the members are selected, will be keenly watched.

The biggest complaint probably stems from the way the law was watered down over the years, since the historic Puttuswamy judgement of the Supreme Court in 2017 set forth the dire requirement of a data privacy mechanism in the country. The government appointed the Justice B.N.Srikrishna Committee report, but by the time the draft law which went into Parliament came out, it had undergone tweaking and dilution in the hands of bureaucrats and policymakers first and then through a contentious process at a Parliamentary Committee and finally passed into law much mutated from its initial form.

While the government sources argued this was the outcome of a transparent consultative process, many point fingers at intense lobbying by Big Tech, as well as the government itself not letting go off a chance at playing ‘Big Brother’ with the aid of a law as pivotal as this.

In fact, if you go by some dire predictions, the DPDP may just prove to be the opposite — a regime in which the powers that be have more access to personal data, even while citizen rights like the Right to Information (RTI) get diluted.

The first casualty of DPDP has been the watering down of RTI, whereby public officials can now deny requests for information arguing that the said information infringes on the right to privacy of public officials (whosoever it may be in question).

“There is an ambiguity in terms of defined personal information that allows significant discretion to government agencies to deny information that was previously accessible. The current rules are unclear on how to balance privacy concerns with RTI disclosures and process the required information,” said Vikas Bansal, partner (IT risk advisory & assurance) with BDO India, an accounting, tax and advisory firm.

The staggered implementation, with businesses given time up to May 2027, has been another brow-raising point — surprising considering that the law itself was not implemented for more than a year citing this example.

“(This is) to give companies sufficient time to develop and put in place required internal policies and procedures ensuring compliance with the statutory obligations under the DPDPA,” argued Kalindhi Bhatia, Partner at the law firm BTG Advaya, adding, “Given the heavy penalties prescribed under the law and depending on the level of revamp in personal data handling practices of a company, the phased enforcement is welcome.”

How Big Tech will be handled, especially with all the data of Indians they have access to in this digital age, is another big question. Some even described the delaying of the implementation of the law akin to “shutting the stable doors after the horses have bolted”.

Indian, as well as international, companies have seriously complex new formats staring in their face — from implementing encryption and monitoring to operationalising consent and notice management as well as data breach management. All this involves not just huge expenses, but requires a resolute intent to implement the new law in letter and in spirit. Will it come through considering India Inc’s jugaad culture?

As Mayuran Palanisamy, partner with Deloitte India put it, “While these rules are a significant step forward, the successful implementation will require ongoing collaboration among regulators, businesses, and consumers. It is essential that organisations take proactive steps to comply with these regulations, ensuring not only legal adherence but also the responsible handling of personal data.”